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<doc> 

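<regexp-query>
  <!-- Possible SGID exploit detector. Structurally parallels the "Possible SUID Exploit"
       query: an exec record is matched first, then child records are tied back to it through
       the %1% back-reference on ppid. Several regexes of this figure were destroyed by OCR;
       they are marked below rather than guessed. -->
  <name>Possible SGID Exploit</name>
  <properties>
    <priority>10</priority>
  </properties>
  <pattern>
    <next>
      <!-- TODO(review): the first pattern line is absent from the scanned source and could
           not be recovered (by analogy with the SUID query it presumably tests gid/egid on an
           exec record - confirm against the original). The placeholder below only matches its
           own literal text, so the query is inert until it is replaced. -->
      <line>__OCR_UNRECOVERABLE__</line>
    </next>
    <next>
      <!-- Reconstructed from the legible fragments "args=" and "ppid=\(%1%\).*"; the middle
           of the expression is assumed to follow the SUID query's form. -->
      <line>.+args=\(.+\); pid=\(\d+\); ppid=\(%1%\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <!-- Reconstructed: only "(%1%\).*" survived OCR; capture group assumed as in the
           other queries. %1% is the pid captured by the first pattern line. -->
      <line>.*args=\((.+)\); pid=\(\d+\); ppid=\(%1%\).*</line>
      <action>
        <highlight/>
        <delete/>
        <!-- Accumulates the captured args into %agg% for the annotation text -->
        <varop var="agg">%1%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Possible SGID Exploit: %agg%</text>
  </annotation>
</regexp-query>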
</doc> 



Figure 26 
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<doc> 

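<regexp-query>
  <!-- Possible SUID exploit detector. The first pattern line matches an exec record whose
       real uid is non-zero while the effective uid is 0; the second line and the procmatch
       line then pick up records whose ppid equals the pid captured by the first line (%1%).
       Note that this condition also describes any legitimately setuid-root program that
       spawns children, so matches are candidates for review, not confirmed exploits. -->
  <name>Possible SUID Exploit</name>
  <properties>
    <priority>10</priority>
  </properties>
  <pattern>
    <next>
      <!-- Captures the pid of an exec with uid in [1-9]\d* and euid 0 -->
      <line>.*exec args=.*pid=\((\d+)\); ppid=\(\d+\); uid=\([1-9]\d*\); euid=\(0\).*</line>
    </next>
    <next>
      <!-- %1% appears to be the pid captured above (inferred from usage; confirm in engine) -->
      <line>.+args=\(.+\); pid=\(\d+\); ppid=\(%1%\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <line>.*args=\((.+)\); pid=\(\d+\); ppid=\(%1%\).*</line>
      <action>
        <highlight/>
        <delete/>
        <!-- Accumulates the child's args into %agg% for the annotation text -->
        <varop var="agg">%1%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Possible SUID Exploit: %agg%</text>
  </annotation>
</regexp-query>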
</doc> 
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<doc> 

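<regexp-query>
  <!-- Lists every process start found in proclog records. The character class allows
       '-', '.', word characters, backslash, slash and a literal space in the args value. -->
  <name>All Processes</name>
  <properties>
    <priority>10</priority>
  </properties>
  <pattern>
    <next>
      <line>.*proclog.*args=\(([\-\.\w\\\/ ]+)\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <line>.*args=\(([\-\.\w\\\/ ]+)\).*</line>
      <action>
        <highlight/>
        <delete/>
        <!-- %1% is the captured args string; accumulated into %agg% -->
        <varop var="agg">%1%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Process started: %agg%</text>
  </annotation>
</regexp-query>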
</doc> 



Figure 28 
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<doc> 

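<regexp-query>
  <!-- Parameterised process search. Each child of <args> declares a query parameter together
       with the regex its value must satisfy; the parameters are substituted into the pattern
       as %name%. The inner <args> element is the parameter named "args", not a nested list. -->
  <name>Find Processes ...</name>
  <properties>
    <priority>10</priority>
  </properties>
  <args>
    <args>.+</args>
    <pid>\d+</pid>
    <ppid>\d+</ppid>
    <uid>\d+</uid>
    <euid>\d+</euid>
    <gid>\d+</gid>
    <egid>\d+</egid>
  </args>
  <pattern>
    <next>
      <!-- NOTE(review): parameter values are interpolated into a regex; the declared
           \d+ / .+ constraints are what keeps a supplied value from altering the pattern -->
      <line>.*args=\(%args%\); pid=\(%pid%\); ppid=\(%ppid%\); uid=\(%uid%\); euid=\(%euid%\); gid=\(%gid%\); egid=\(%egid%\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <line>.*args=\((.+)\); pid.*</line>
      <action>
        <highlight/>
        <delete/>
        <varop var="agg">%1%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Process started: %agg%</text>
  </annotation>
</regexp-query>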
</doc> 



Figure 29 
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<doc> 

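<regexp-query>
  <!-- Finds processes executed from a shell: the first line captures the pid of an exec
       whose args are exactly "-sh", the second line matches records whose ppid is that pid.
       Unlike the sibling queries this one has no <delete/>, so matched lines presumably stay
       visible after highlighting (confirm against the engine). -->
  <name>All Shell-spawned Processes</name>
  <properties>
    <priority>10</priority>
  </properties>
  <pattern>
    <next>
      <line>.*exec args=\(-sh\); pid=\((\d+)\).*</line>
    </next>
    <next>
      <line>.*args=\(([\-\w\\\/ ]+)\).*ppid=\(%1%\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <line>.*args=\(([\-\w\\\/ ]+)\).*ppid=\(%1%\).*</line>
      <action>
        <highlight/>
        <varop var="agg">%1%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Executed from a shell: %agg%</text>
  </annotation>
</regexp-query>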
</doc> 
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<doc> 

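<regexp-query>
  <!-- Reports incoming connections. The procmatch line splits "from=(ip:port) to=(ip:port)"
       into four capture groups, bound to named variables for the annotation. -->
  <name>Incoming Connections</name>
  <properties>
    <priority>10</priority>
  </properties>
  <pattern>
    <next>
      <line>.*incoming connection from=\(.+\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <!-- OCR damaged the port groups; "(.+)" assumed for all four by symmetry - confirm -->
      <line>.*incoming connection from=\((.+):(.+)\) to=\((.+):(.+)\).*</line>
      <action>
        <highlight/>
        <delete/>
        <varop var="fromip">%1%</varop>
        <varop var="fromport">%2%</varop>
        <varop var="toip">%3%</varop>
        <varop var="toport">%4%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Incoming Connection From IP: %fromip% (on port: %fromport%) To IP: %toip% (on port: %toport%)</text>
  </annotation>
</regexp-query>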
</doc> 



Figure 31 
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<doc> 

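<regexp-query>
  <!-- Reassembles keystrokes from "read stream data" records sharing one stream id.
       The first line captures the id; the second (fromprev) continues on records with the
       same id whose data contains an escaped \0 followed by one of the listed characters. -->
  <name>Keystrokes Entered</name>
  <properties>
    <priority>10</priority>
  </properties>
  <pattern>
    <next>
      <line>.*read stream data, id=\((\d+)\) data=\(.+\).*</line>
    </next>
    <!-- fromprev value reconstructed from OCR ("r'"); presumably "1" - confirm -->
    <next fromprev="1">
      <!-- NOTE(review): OCR shows "[ad4 ]"; the Screen Output query uses "[ad46]", so a
           character may have been dropped here - confirm against the original -->
      <line>.*read stream data, id=\(%1%\) data=\(.*\\0[ad4].*\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <line>.*read stream data, id=\(%1%\) data=\((.+)\).*</line>
      <action>
        <highlight/>
        <delete/>
        <!-- Accumulates the captured data payloads into %agg% -->
        <varop var="agg">%1%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Keystrokes Entered: %agg%</text>
  </annotation>
</regexp-query>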
</doc> 
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cdoc> 

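<regexp-query>
  <!-- Reassembles screen output from "write stream data" records sharing one stream id.
       Mirror image of the "Keystrokes Entered" query. In the scanned source the tail of the
       second pattern line and the start of <procmatch> were displaced below </doc>; they are
       restored here in their logical position. -->
  <name>Screen Output</name>
  <properties>
    <priority>10</priority>
  </properties>
  <pattern>
    <next>
      <line>.*write stream data, id=\((\d+)\) data=\(.+\).*</line>
    </next>
    <!-- fromprev value reconstructed from OCR ("l , '"); presumably "1" - confirm -->
    <next fromprev="1">
      <line>.*write stream data, id=\(%1%\) data=\(.*\\0[ad46].*\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <line>.*write stream data, id=\(%1%\) data=\((.+)\).*</line>
      <action>
        <highlight/>
        <delete/>
        <!-- Accumulates the captured data payloads into %agg% -->
        <varop var="agg">%1%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Output to screen: %agg%</text>
  </annotation>
</regexp-query>
</doc>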
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<doc> 

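<regexp-query>
  <!-- Parameterised search for "monitored file opened" records. file_name and pid are
       query parameters (declared under <args> with the regex their value must satisfy)
       and are substituted into the pattern as %file_name% and %pid%. -->
  <name>Find Monitored</name>
  <properties>
    <priority>10</priority>
  </properties>
  <args>
    <!-- NOTE(review): ".+" places no constraint on file_name, so a supplied value is
         interpolated into the regex verbatim; pid is limited to digits -->
    <file_name>.+</file_name>
    <pid>\d+</pid>
  </args>
  <pattern>
    <next>
      <line>.*monitored file opened name=\(%file_name%\) pid=\(%pid%\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <line>.*monitored file opened name=\((.+)\) pid=\((.+)\).*</line>
      <action>
        <highlight/>
        <delete/>
        <varop var="filename">%1%</varop>
        <varop var="pidvar">%2%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>File Opened: %filename% (from pid: %pidvar%)</text>
  </annotation>
</regexp-query>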
</doc> 
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